It would be better just to make sure you have the latest stable version of Apache than go through this much trouble trying to hide the service name. Even without it, good scanners can detect what the software is (particularly something well-used like Apache or IIS) just based on how it responds to requests.
–
romandasApr 9 '10 at 16:13

7 Answers
7

I don't believe you can hide the server type from NMap, as it's clever enough to detect software type from handshake negotiation, fault handling etc. As for OpenSSH, from the FAQ:

2.14 - Why does OpenSSH report its version to clients?

OpenSSH, like most SSH
implementations, reports its name and
version to clients when they connect,
e.g.

SSH-2.0-OpenSSH_3.9

This information is used by clients
and servers to enable protocol
compatibility tweaks to work around
changed, buggy or missing features in
the implementation they are talking
to. This protocol feature checking is
still required at present because the
SSH protocol has not been yet
published as a RFC and more
incompatible changes may be made
before this happens.

Ok a blue window should have popped up, now look at the bottom and notice the commands. We want to use search so press control+w make sure "Search for text string" is in white hit enter. Now type "OpenSSH" hit enter and you will be directed to the exact part you need to modify.

It will look like this, just change everything that is in red to 0 and you will end up with what i have below. If you want to type something else Press TAB and type what you want into the ascii part, just remember there is no backspace.

It's not a configurable option. In both cases you would need to make changes to the source code.

OpenSSHrelies on the version banner in order to negotiate certain features and quirks between the server and client. You can find older patches for such changes like this which you may be able to adapt for newer releases.

For Apache there has been some discussion in the past and more recently about an Off option to ServerTokens which would remove the product name. But I believe it's been vetoed each time. Again you may wish to use or adapt some available patches but you would be out there on your own.

Frankly you would remain more secure, and indeed more reliable than deviating from the release, by just ensuring that the software gets updated when required. Hiding this information might put off some drive-by attackers. But it won't do you any good against blind scripted or more determined attacks.